ValveSoftware / steam-for-linux

Issue tracking for the Steam for Linux beta client

[HL1/CS] Admin slowhacking #1536

Closed AnAkkk closed 11 years ago

AnAkkk commented 11 years ago

It's been known for a long time now that admins are able to send any commands to the clients, thus messing up their config. It's quite annoying to join a server and find out that all of your binds have been changed, etc. Servers can even open/close the player's CD tray with the "cd" command. I don't want to download annoying sounds from servers, and I am setting cl_allowdownload to 0. Guess what? The server forces cl_allowdownload to 1 before it starts downloading the sounds.

The fix shouldn't be to make your config read-only and restart the game every time this happens. Servers just shouldn't be able to execute any commands on the clients, as is the case on the Source engine. Only the few commands that are required for the game to work should be allowed to be executed.

bogdyutzu commented 11 years ago

+1 for this

ConnorMcLeod commented 11 years ago

+1. The "developer" command is one of the commands that should be blocked, because then config.cfg can be written even in read-only mode.

txdv commented 11 years ago

What about connect/redirects?

AnAkkk commented 11 years ago

The "connect" command is already blocked AFAIK; the client won't do anything if it's received from a server. If there are other redirect exploits, they're probably done in another way.

txdv commented 11 years ago

So this means death to xredirect?

alfred-valve commented 11 years ago

Yes, a horrible, horrible death to all those honey pot servers. #1189 is a bug to allow a legit method for redirects. Blocking random commands from a server is something that we will do.

Xalus commented 11 years ago

I think a dialog for every client setting the server wants to change, and also for redirecting to another server, would be the best result.

AnAkkk commented 11 years ago

A dialog for redirection would probably be good, but I don't think there should be a dialog for other client settings. Players who have never used the console/commands wouldn't understand what's happening. There is no reason a server would need to change client settings.

LaurentiuAndrei commented 11 years ago

Think about plugins like amxss which send the "snapshot" command to the player's console. But! I suggest blocking only the ones beginning with "cl".

AnAkkk commented 11 years ago

Valve doesn't allow admins to take screenshots on the Source engine and doesn't want to, so I don't see why they would on CS 1.6. An admin could loop the snapshot command to annoy a player and fill his disk with screenshots.

EDIT: Anyway, this is pointless; hacks just disable themselves when the snapshot command is called.

LaurentiuAndrei commented 11 years ago

Well then it would be just awesome to block this communication between server and client.

EDIT: This will actually solve my problem, which is that the server is FLOODING me with the fps_101 command every 1.0 seconds. I just hate it.

LevShisterov commented 11 years ago

There is at least one widely used client command that is sent from server: spk.

AnAkkk commented 11 years ago

@alfred-valve, am I supposed to reopen this in the halflife tracker, or do you still look at issues in this one?

txdv commented 11 years ago

A general statement of whether we are supposed to reopen or not would be nice.

LevShisterov commented 11 years ago

There is also the "echo" command, which is widely used for printing info to the client.
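The thread's proposal (the opening post: let servers execute only the few commands the game needs on the client) combined with the commands later named as legitimately server-sent ("spk", "echo") amounts to an allowlist filter on the client's server-command path. The following is an added illustration of that filter, written here for this page; it is not code from the issue, from the GoldSrc engine or from Valve. The allowlist contents, the `;`/newline splitting rule and the quote handling are assumptions modelled on the discussion, not on the engine's real parser.

```python
"""Allowlist filter for console commands a game server pushes to a client.

Added illustration, not engine code. The separator handling and the
allowlist below are assumptions taken from the issue thread.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Commands the thread names as legitimately sent by servers (spk, echo).
# snapshot and fps_101 are deliberately omitted: the thread describes them
# being looped/flooded to fill a disk or spam the console. Assumed list.
SERVER_EXECUTABLE: FrozenSet[str] = frozenset({"spk", "echo"})


def split_commands(line: str) -> List[str]:
    """Split a console line on ';' and newlines, honouring double quotes.

    'echo "a;b"' stays one command; 'bind w x; cd eject' becomes two, so a
    dangerous command cannot hide behind an allowed one on the same line.
    """
    commands: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch in ";\n" and not in_quotes:
            commands.append("".join(current))
            current = []
        else:
            current.append(ch)
    commands.append("".join(current))
    return [c.strip() for c in commands if c.strip()]


@dataclass
class FilterResult:
    """What the client would execute versus what it dropped (for logging)."""
    allowed: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)


def filter_server_commands(line: str,
                           allowlist: FrozenSet[str] = SERVER_EXECUTABLE
                           ) -> FilterResult:
    """Keep only allowlisted commands; everything else is dropped.

    The command name (first token, case-insensitive) decides; arguments are
    never inspected, so 'cl_allowdownload 1', 'bind ...', 'cd eject' and
    'developer 1' are all rejected simply by not being on the list.
    """
    result = FilterResult()
    for cmd in split_commands(line):
        name = cmd.split(None, 1)[0].lower()
        if name in allowlist:
            result.allowed.append(cmd)
        else:
            result.blocked.append(cmd)
    return result


if __name__ == "__main__":
    # Constructed sample of what a slowhacking server might stuff at a client.
    sample = 'cl_allowdownload 1; spk "misc/welcome"; bind w "cd eject"; developer 1'
    res = filter_server_commands(sample)
    print("executed:", res.allowed)
    print("dropped: ", res.blocked)
```

Surfacing the `blocked` list in the console (or in a dialog, as one commenter suggests for redirects) lets a player see what a server tried to change without having to make config.cfg read-only.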

alfred-valve commented 11 years ago

I am actively watching the halflife tracker, not this one, so re-opening a bug in that tracker and pointing to this bug will increase the chances of your bug being looked at :)

AnAkkk commented 11 years ago

New one: https://github.com/ValveSoftware/halflife/issues/390